SANS Faculty Fellow Rob Lee created the SANS Investigative Forensic Toolkit (SIFT) Workstation, which is also featured in the SANS FOR 508 course, to show that advanced investigations, including investigating hackers, can be accomplished using freely available open-source tools. The new version of SIFT was just released as a VMware appliance that is pre-configured with all the tools needed to perform a detailed digital forensic examination. More information on the SANS forensics curriculum and SIFT 2.0 can be found on https://computer-forensics.sans.org/ and in the download section on that page.

OK, this does indeed look like an RTF with an embedded object. The pile of numbers is all hexadecimal byte values, but before we can convert them to readable characters, we first have to strip away the initial two lines, because their presence would confuse the Perl statement that follows later.

So far, the old method still seems to work: we locate "objdata" in the RTF document, strip out everything in front of it, then feed the blob into Perl to convert the hexadecimal codes to actual ASCII characters. I changed the Perl command slightly compared to the earlier diary on the subject, because one of the problems that people seem to have is related to how "end of line" is treated on Windows versus Unix. The earlier version

is now really only printing out the converted hex codes and is dropping all the CR/LF line terminators that are present in the original file after every line. The resulting file is still in "Object Package" format, but if you look closely, you can see the tell-tale "MZ" that marks the start of an executable:

What makes this case a bit more convoluted than last year's example is that the bad guys tried really hard to disguise the contents. This time, the initial file had a .DOC extension but was in fact in .RTF format, and it contained an embedded COMPLA~1.EXE that had a harmless-looking icon (3.ico) and was displayed to the user as "docs.pdf". Yup, pretty sneaky. You can see all these file names in the hex output above.

Now, how to get the EXE out. According to the earlier diary mentioned above, the numbers between the EXE filename and the "MZ" header mark the size of the executable that we need to cut out. In this case, we have "00 10 74 00 00" in that position:
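The two steps the diary walks through (decode the hex after "objdata" while dropping CR/LF, then cut the executable out using the size field in front of "MZ") combined into one script. This is an added example in Python rather than the diary's Perl one-liners, not code from the diary or from SANS. The RTF and the Object Packager stream inside it are constructed here and are simplified (no OLE1 header, just a label, the embedded filename, a size field and a fake "MZ" payload); the script assumes the size is the little-endian 32-bit value in the four bytes immediately before "MZ", which is how it reads the "00 10 74 00 00" bytes the diary points at. The carver skips any "MZ" whose size field would not fit in the remaining data, so a stray "MZ" inside a filename or icon does not derail the cut, and it reports the SHA-256 of the carved file for your IoC list.

```python
import hashlib
import re
import struct

# Constructed sample input (not from the diary): a stand-in for an Object
# Packager stream as it looks after hex-decoding \objdata.  Real streams carry
# additional OLE1 header fields; this one keeps only the pieces the diary
# relies on: the display label, the embedded file name, a little-endian
# 32-bit size field, and the executable bytes starting with "MZ".
FAKE_EXE = b"MZ" + b"\x90" * 30            # 32 bytes standing in for a PE file
PACKAGER_STREAM = (
    b"\x02\x00"                            # constructed leading header bytes
    + b"docs.pdf\x00"                      # label shown to the victim
    + b"C:\\COMPLA~1.EXE\x00"              # embedded file name (from the diary)
    + struct.pack("<I", len(FAKE_EXE))     # size of the executable that follows
    + FAKE_EXE
)


def build_sample_rtf(stream: bytes, width: int = 64, newline: str = "\r\n") -> str:
    """Wrap a binary stream in a minimal RTF \\objdata block, hex-encoded and
    line-wrapped the way Word writes it.  Constructed for this example."""
    hexdata = stream.hex()
    lines = [hexdata[i:i + width] for i in range(0, len(hexdata), width)]
    return (
        "{\\rtf1\\ansi" + newline
        + "{\\object\\objemb{\\*\\objclass Package}" + newline
        + "{\\*\\objdata" + newline + newline.join(lines) + "}}" + newline
        + "\\par Please see the attached document." + newline + "}"
    )


def extract_objdata(rtf: str) -> bytes:
    """Locate the \\objdata control word, keep only the hex digits after it
    (dropping CR, LF or both, whichever the file uses) and decode them."""
    m = re.search(r"\\objdata\b", rtf)
    if m is None:
        raise ValueError("no \\objdata control word in this RTF")
    hex_run = re.match(r"[0-9a-fA-F\s]*", rtf[m.end():]).group(0)
    return bytes.fromhex(re.sub(r"\s+", "", hex_run))


def carve_embedded_exe(blob: bytes) -> tuple[str, int, bytes]:
    """Find the MZ header and cut out the executable using the 32-bit
    little-endian size field assumed to sit in the four bytes right before
    it.  A candidate "MZ" whose size field does not fit in the remaining
    data is skipped (a stray "MZ" in a filename or icon, for instance)."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos >= 5:
            (size,) = struct.unpack("<I", blob[pos - 4:pos])
            if 0 < size <= len(blob) - pos:
                # the size field is preceded by the NUL-terminated file name
                name_end = pos - 5
                name_start = blob.rfind(b"\x00", 0, name_end) + 1
                name = blob[name_start:name_end].decode("latin-1")
                return name, size, blob[pos:pos + size]
        pos = blob.find(b"MZ", pos + 1)
    raise ValueError("no MZ header with a plausible size field found")


def analyze_rtf(rtf: str) -> dict:
    """End-to-end: decode \\objdata, carve the executable, hash it for reporting."""
    blob = extract_objdata(rtf)
    name, size, exe = carve_embedded_exe(blob)
    return {
        "embedded_name": name,
        "declared_size": size,
        "carved_size": len(exe),
        "sha256": hashlib.sha256(exe).hexdigest(),
        "exe": exe,
    }


if __name__ == "__main__":
    report = analyze_rtf(build_sample_rtf(PACKAGER_STREAM))
    print(report["embedded_name"], report["declared_size"], report["sha256"])
```

Run it against a real sample by replacing the constructed RTF with `open(path, encoding="latin-1").read()`; the declared size and the carved size should agree, and a mismatch or a size that overruns the blob is your cue that the stream layout differs from the simplified one assumed here and needs a closer look in a hex editor.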